Identify Managed AD Security Groups #6375
Conversation
if datastore['RESOLVE_MANAGERS'] | ||
begin | ||
managedby_cn = result[2][:value].split(/,(?<!\\,)/)[0] | ||
m = query("(&(objectClass=user)(objectCategory=person)(#{managedby_cn}))", 1, ['sAMAccountName']) |
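Review bot: the lookup filter `(&(objectClass=user)(objectCategory=person)(#{managedby_cn}))` only matches user objects, so when `managedBy` holds the DN of a group the query returns nothing and the manager name stays unresolved even though the raw `managedBy` value is right. Searching on the full `distinguishedName` instead avoids the object-class assumption and the CN-only match; the value should also be escaped for an LDAP filter, since the split already tolerates an escaped comma (`\,`) inside the first RDN but that backslash must become `\5c` when embedded in the filter string.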
If a Group is managed by a Group then this fails to resolve the 'Manager Account Name', although 'managedBy' will be correct.
Will update this just to search on the distinguishedName
(Screenshot: Bob manages Domain Admins)
Overview
This module identifies AD groups which have the 'managedBy' attribute set (which will be the DN of a user who is allowed to manage the group). It will also optionally retrieve the sAMAccountName (username) of the user.
AD groups can be managed by otherwise low-privileged users by setting the 'Managed By' attribute.
This is routinely used for distribution groups, but it turns out that security groups also support this option. If the 'manager can update membership list' option is set, it allows that user to add members to the group. This has two implications:
This module is concerned with Implication 1; identifying AD groups which have a manager set.
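The resolution step described above (taking the `managedBy` DN and looking up the manager account) is where the CN-only filter breaks when the manager is itself a group. The following is an added example, not code from the module or from Metasploit: it escapes the DN for an LDAP filter (RFC 4515), searches on `distinguishedName` so that both user and group managers resolve, and reports every group with a manager set. The directory entries and group list are constructed sample data, and `sample_search` is a stand-in for a real LDAP query.

```ruby
# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
# Backslash, '*', '(', ')' and NUL become \XX hex escapes.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Split a DN on commas that are not escaped with a backslash, so that
# "CN=Smith\, Alice,CN=Users,DC=goat,DC=stu" keeps "CN=Smith\, Alice" whole.
def dn_rdns(dn)
  dn.split(/(?<!\\),/)
end

# Filter that resolves a managedBy value by its full DN, whatever its object class.
def manager_filter(managed_by_dn)
  "(distinguishedName=#{ldap_filter_escape(managed_by_dn)})"
end

# Constructed sample directory (DN => attributes); not real data.
SAMPLE_DIRECTORY = {
  'CN=Bob,CN=Users,DC=goat,DC=stu' =>
    { objectClass: %w[top person user], sAMAccountName: 'bob' },
  'CN=Smith\, Alice,CN=Users,DC=goat,DC=stu' =>
    { objectClass: %w[top person user], sAMAccountName: 'alice.smith' },
  'CN=Helpdesk,OU=Groups,DC=goat,DC=stu' =>
    { objectClass: %w[top group], sAMAccountName: 'Helpdesk' },
}.freeze

# Constructed sample groups as an LDAP search for (managedBy=*) might return them.
SAMPLE_GROUPS = [
  { cn: 'Domain Admins',    managedBy: 'CN=Bob,CN=Users,DC=goat,DC=stu' },
  { cn: 'Finance',          managedBy: 'CN=Smith\, Alice,CN=Users,DC=goat,DC=stu' },
  { cn: 'Backup Operators', managedBy: 'CN=Helpdesk,OU=Groups,DC=goat,DC=stu' },
  { cn: 'Domain Users',     managedBy: nil },
].freeze

# Stand-in for an LDAP search: undo the filter escaping and look the DN up
# in the sample directory. A real module would send the filter to the DC.
def sample_search(filter)
  m = filter.match(/\A\(distinguishedName=(.*)\)\z/)
  return nil unless m
  wanted = m[1].gsub(/\\([0-9a-f]{2})/) { Regexp.last_match(1).hex.chr }
  entry = SAMPLE_DIRECTORY[wanted]
  entry && entry.merge(dn: wanted)
end

# Report every group with managedBy set, resolving the manager's account name,
# its first RDN and whether the manager is a user or a group.
def managed_groups(groups, search: method(:sample_search))
  groups.select { |g| g[:managedBy] }.map do |g|
    entry = search.call(manager_filter(g[:managedBy]))
    {
      group: g[:cn],
      managed_by: g[:managedBy],
      manager_rdn: dn_rdns(g[:managedBy]).first,
      manager_name: entry && entry[:sAMAccountName],
      manager_type: entry && (entry[:objectClass].include?('group') ? 'group' : 'user'),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  managed_groups(SAMPLE_GROUPS).each do |row|
    puts "#{row[:group]}: managed by #{row[:manager_name] || '?'} (#{row[:manager_type] || 'unresolved'}) #{row[:managed_by]}"
  end
end
```

Searching on the escaped `distinguishedName` resolves the Helpdesk group as the manager of Backup Operators, which the `(objectClass=user)` filter would miss, and the backslash in Alice's CN survives the round trip because it is emitted as `\5c` in the filter.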
Explanation of Impact
On a test domain (goat.stu), an unprivileged user has been created with default privileges. As can be seen, this user does not have sufficient privileges to manipulate the domain admins group.
Executing this module initially shows no results.
However, if a domain admin user sets the unprivileged user to be the manager of the Domain Admins group and sets the 'Manager can update membership list' option:
The module now shows the presence of a managed group:
This then allows the unprivileged.user to add themselves (or any other user) to the Domain Admins group.
Module
The purpose of this module is simply to identify any groups that have managers. It cannot at the moment determine whether 'Manager can update membership list' is set, because this is encoded in the nTSecurityDescriptor attribute, which will need more work to obtain and parse. However, if a compromised user is the manager of a group that can itself access sensitive information, this would be a useful route for lateral movement, especially as the manager does not have to be a permanent member of the group. As in the example above, it could also be a sneaky way of persisting once privileged access has been obtained, because the presence of this setting is not obvious.
This is not something that is regularly seen but is worth checking for.
Options
Conclusion
This module is not likely to be regularly used, but could reveal an otherwise hidden horizontal privilege escalation vulnerability. It is unusual for groups to be managed by non-domain admins but is not unheard of.
Further Work
The main improvement this module needs is the ability to obtain and parse the nTSecurityDescriptor attribute, which would allow results to be filtered to only those groups for which the 'manager can update membership list' option is set.